[Chameleon] BoundingBoxPopup error

Paul Spencer pspencer at dmsolutions.ca
Mon Dec 20 10:41:15 EST 2004


Scott,

this problem is not easily solved.  Chameleon session management 
attempts to prevent session hijacking (or fixation) for security reasons 
... what this means is that when you start a session, the URL that you 
connected from is recorded in the session.  When subsequent requests 
arrive, the current URL is tested against the one in the session.  If 
they don't match, the session is immediately terminated.

When you include an absolute URL in the chameleon.xml file, this has a 
strange side effect because the session will record the URL that the 
user used to connect, but popups are launched using the URL from 
chameleon.xml.  If they aren't the same, you end up with this problem.

If you use a relative URL, then chameleon figures out the right host for 
popups from the URL the user is using.

I think this is primarily a documentation issue; the way this works 
should be left as-is to allow for tighter security, but it should be 
clearly documented somewhere what the implications of using different 
configurations in chameleon.xml are.

Thanks for finding this out and reporting it on the list.  Until you 
brought this up, I hadn't really realized that this would happen.  Seems 
obvious now ;)

Cheers,

Paul

Tweedy, Scott wrote:
> OK this problem seems to be solved, but in solving it I have to ask if
> anyone else has run into the same issue.
> 
> I'm running Chameleon 1.99 on a Linux box.  In my chameleon.xml
> configuration file I defined the web_server_path variable as the absolute
> path to chameleon using the IP address of the computer ie:
> 
> <param-name>web_server_path</param-name>
> <param-value>http://111.222.333.444/chameleon/</param-value>
> 
> When I was testing in Netscape and IE I used the server name in the URL ie:
> http://servername/applicationName
> 
> and the BoundingBoxPopup produced the JavaScript exception errors listed in
> the original e-mail and the BoundingBoxPopup widget wouldn't work properly.
> When someone tested the application using the IP address of the computer in
> the URL ie:
> http://111.222.333.444/applicationName
> 
> everything worked properly.  It seems that Chameleon is reading the absolute
> path from the XML and if it doesn't match exactly (I did some other
> variations) then these JavaScript errors occur.  I've since changed the
> web_server_path variable to the relative value of "/chameleon/" and things
> seem to work correctly.
> 
> Has anyone else had this problem with IP address v. server name or alias?
> 
> st
> 
> -----Original Message-----
> From: chameleon-bounces at lists.maptools.org
> [mailto:chameleon-bounces at lists.maptools.org]On Behalf Of Tweedy, Scott
> Sent: Wednesday, October 06, 2004 1:28 PM
> To: 'chameleon at lists.maptools.org'
> Subject: [Chameleon] BoundingBoxPopup error
> 
> 
> I'm getting an error when I'm trying to use the BoundingBoxPopup widget.
> The widget seems to open fine when I click on its button, but in the
> JavaScript Console I get the following error:
> 
> Error: uncaught exception: Permission denied to get property
> Window.getMapExtents
> 
> When I enter coordinates in any of the boxes and click Zoom, nothing happens
> and I get this error in the JavaScript Console:
> 
> Error: uncaught exception: Permission denied to get property
> Window.applyBoundingBox
> 
> Any ideas on why this might happen?
> 
> Thanks in advance,
> st
> _______________________________________________
> Chameleon mailing list
> Chameleon at lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/chameleon
> 

-- 
+-----------------------------------------------------------------+
|Paul Spencer                           pspencer at dmsolutions.ca   |
+-----------------------------------------------------------------+
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
+-----------------------------------------------------------------+
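
The behaviour described in this message, as an added sketch that is not part of the original e-mail and is not Chameleon's own code: a session records where the user connected from, later requests are checked against it, and the popup URL is built from web_server_path. The function names, the popup file name and the address 192.0.2.10 are constructed for illustration, and comparing by origin (scheme plus host) is an assumption about what "the URL" means here.

```javascript
// Added illustration only; every name here is hypothetical.
const sessions = new Map();

// At session start, record the origin (scheme + host) the user connected from.
function startSession(id, requestUrl) {
  sessions.set(id, { origin: new URL(requestUrl).origin });
}

// On each later request, compare against the recorded origin.
// A mismatch terminates the session immediately.
function checkRequest(id, requestUrl) {
  const session = sessions.get(id);
  if (!session) return "no-session";
  if (new URL(requestUrl).origin !== session.origin) {
    sessions.delete(id);
    return "terminated";
  }
  return "ok";
}

// Build the popup URL from web_server_path. A relative path is resolved
// against the URL the user is on; an absolute one ignores that URL.
function popupUrl(webServerPath, pageUrl, file) {
  return new URL(file, new URL(webServerPath, pageUrl)).href;
}

// Connect at pageUrl, then open a popup built from webServerPath.
function simulate(webServerPath, pageUrl) {
  const id = "s-" + sessions.size; // constructed session id
  startSession(id, pageUrl);
  const popup = popupUrl(webServerPath, pageUrl, "popup.html");
  return { popup, result: checkRequest(id, popup) };
}

// Constructed sample values mirroring the thread's three cases.
const byName = "http://servername/applicationName";
const byIp = "http://192.0.2.10/applicationName";
console.log(simulate("http://192.0.2.10/chameleon/", byName)); // absolute path, user on server name
console.log(simulate("http://192.0.2.10/chameleon/", byIp));   // absolute path, user on IP
console.log(simulate("/chameleon/", byName));                  // relative path
```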

